
Does anyone know how can we get signatures for various protocols e.g. BGP, DHCP, VxLAN etc?

By signatures, I actually mean the pattern (e.g. something like 0x234557888) used for pattern-matching in a Deep-Packet Inspection engine. I want to write a DPI code for detecting some protocols (e.g. the ones mentioned above).

Is there some kind of algorithm for finding the signatures?

HopelessN00b

1 Answer


Why reinvent the wheel when others out there like the nDPI open source project have already created DPI code for detecting the protocols you mention (BGP, DHCP)? VLAN isn't a protocol, VTP is.

http://www.ntop.org/products/ndpi/

nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being unnecessary for network traffic monitoring.

nDPI is automatically downloaded when you build ntop and nProbe. However nothing prevents you from using it as a standalone DPI library. The source code can be downloaded from the nTOP SVN.

You asked about algorithms as well, here are a few PDFs to get you started:

A Multi-gigabit Rate Deep Packet Inspection Algorithm using TCAM

A Fast Multi-pattern Matching Algorithm for Deep Packet Inspection on a Network Processor

TheCleaner
  • I am already familiar with ntop and nDPI. In fact, my question arose only after examining their code: how have they got the signatures for various protocols? – user189942 Sep 19 '13 at 03:19
  • They get the signatures by understanding the RFCs and knowing what a particular protocol's packets SHOULD look like. They then unwrap the packets (hence the term DPI) and if the packet doesn't look like it should according to the RFCs and known good packets for that protocol then they are likely to be malicious and therefore flagged. It takes time and a lot of work. You can read these articles: http://www.symantec.com/connect/articles/great-ids-debate-signature-analysis-versus-protocol-analysis / www.datacom.cz/system/files/dpi_white_paper.pdf – TheCleaner Sep 19 '13 at 13:02
  • Oh, and as far as algorithms go...there are ones, but it's over my head...but I'll edit my question with a few PDF examples. – TheCleaner Sep 19 '13 at 13:04
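The comment above describes where protocol "signatures" actually come from: the fixed field layout that each RFC mandates. The following C program is an added example written for this page; it is not code from nDPI or from the answerer. It turns the RFC layouts of three of the protocols asked about into small structural dissectors: DHCP (RFC 2131: 236-byte BOOTP header, then the magic cookie 0x63825363 and TLV options), BGP (RFC 4271: 16 bytes of 0xFF marker, a 2-byte length between 19 and 4096, and a message type 1 to 5), and VXLAN (RFC 7348: an 8-byte header whose I flag is set and whose reserved bytes are zero, followed by an inner Ethernet frame). It assumes the caller has already stripped the IP and UDP/TCP headers and passes only the transport payload; the sample packets and the `classify_payload`, `looks_like_*` and `sample_dhcp_discover` names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample payloads (IP and UDP/TCP headers already removed). */
static const uint8_t SAMPLE_BGP_KEEPALIVE[19] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0x00,0x13,          /* length = 19: a KEEPALIVE is just the header */
    0x04 };             /* type 4 = KEEPALIVE */
static const uint8_t SAMPLE_VXLAN[8 + 14] = {
    0x08, 0x00,0x00,0x00,   /* flags: I bit set, reserved bits zero */
    0x00,0x00,0x64, 0x00,   /* VNI = 100, reserved byte zero */
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00 }; /* inner Ethernet header */
static const uint8_t SAMPLE_TEXT[] = "GET / HTTP/1.1\r\n";
static uint8_t g_dhcp_buf[256];

/* Fill g_dhcp_buf with a minimal DHCPDISCOVER and return its length. */
size_t sample_dhcp_discover(void) {
    memset(g_dhcp_buf, 0, sizeof g_dhcp_buf);
    g_dhcp_buf[0] = 1;                                   /* op = BOOTREQUEST */
    g_dhcp_buf[1] = 1; g_dhcp_buf[2] = 6;                /* htype Ethernet, hlen 6 */
    memcpy(g_dhcp_buf + 236, "\x63\x82\x53\x63", 4);     /* magic cookie */
    const uint8_t opts[] = { 53, 1, 1, 255 };            /* option 53 DISCOVER, end */
    memcpy(g_dhcp_buf + 240, opts, sizeof opts);
    return 240 + sizeof opts;
}

/* RFC 2131 layout check: BOOTP header, cookie, then a well-formed option list
   that contains a DHCP Message Type (option 53) with a value in 1..8. */
int looks_like_dhcp(const uint8_t *p, size_t len) {
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    if (len < 240) return 0;
    if (p[0] != 1 && p[0] != 2) return 0;               /* BOOTREQUEST or BOOTREPLY */
    if (p[1] == 1 && p[2] != 6) return 0;               /* Ethernet MACs are 6 bytes */
    if (memcmp(p + 236, cookie, 4) != 0) return 0;
    int saw_msg_type = 0;
    for (size_t i = 240; i < len; ) {
        uint8_t code = p[i];
        if (code == 0)   { i++; continue; }             /* pad */
        if (code == 255) break;                         /* end */
        if (i + 1 >= len) return 0;                     /* truncated TLV */
        uint8_t olen = p[i + 1];
        if (i + 2 + olen > len) return 0;               /* option overruns packet */
        if (code == 53 && olen == 1 && p[i + 2] >= 1 && p[i + 2] <= 8) saw_msg_type = 1;
        i += 2 + olen;
    }
    return saw_msg_type;
}

/* RFC 4271 layout check: marker, sane length, known type, and per-type size rules. */
int looks_like_bgp(const uint8_t *p, size_t len) {
    if (len < 19) return 0;
    for (int i = 0; i < 16; i++) if (p[i] != 0xFF) return 0;
    uint16_t msglen = (uint16_t)((p[16] << 8) | p[17]);
    if (msglen < 19 || msglen > 4096 || msglen > len) return 0;
    uint8_t type = p[18];                               /* 1 OPEN .. 4 KEEPALIVE, 5 ROUTE-REFRESH */
    if (type < 1 || type > 5) return 0;
    if (type == 1 && (msglen < 29 || p[19] != 4)) return 0;  /* OPEN carries version 4 */
    if (type == 4 && msglen != 19) return 0;            /* KEEPALIVE has no body */
    return 1;
}

/* RFC 7348 layout check: I flag set, reserved bytes zero, room for an inner frame.
   Rejecting non-zero reserved bits is a DPI choice: it keeps false positives down
   but will not classify extensions that reuse those bits. */
int looks_like_vxlan(const uint8_t *p, size_t len) {
    if (len < 8 + 14) return 0;
    if ((p[0] & 0x08) == 0) return 0;
    if ((p[0] & ~0x08) || p[1] || p[2] || p[3] || p[7]) return 0;
    return 1;
}

uint32_t vxlan_vni(const uint8_t *p) {
    return ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
}

/* Try the most distinctive layout first; a real engine would also use the port as a hint. */
const char *classify_payload(const uint8_t *p, size_t len) {
    if (looks_like_bgp(p, len))   return "bgp";
    if (looks_like_dhcp(p, len))  return "dhcp";
    if (looks_like_vxlan(p, len)) return "vxlan";
    return "unknown";
}

int main(void) {
    size_t n = sample_dhcp_discover();
    printf("dhcp sample  -> %s\n", classify_payload(g_dhcp_buf, n));
    printf("bgp sample   -> %s\n", classify_payload(SAMPLE_BGP_KEEPALIVE, sizeof SAMPLE_BGP_KEEPALIVE));
    printf("vxlan sample -> %s (VNI %u)\n", classify_payload(SAMPLE_VXLAN, sizeof SAMPLE_VXLAN),
           vxlan_vni(SAMPLE_VXLAN));
    printf("text sample  -> %s\n", classify_payload(SAMPLE_TEXT, sizeof SAMPLE_TEXT - 1));
    return 0;
}
```

The point of the example is that none of these "signatures" is a single magic number pulled from thin air: each is a set of invariants read off the RFC (fixed offsets, reserved-must-be-zero bytes, length fields that have to agree with the packet size). The more invariants a dissector checks, the fewer random payloads it misclassifies, which is why the DHCP check walks the option list rather than stopping at the cookie. Checks this strict will also reject packets that are merely malformed, which is useful if the goal is flagging anomalies, and a problem if the goal is counting traffic from a buggy but legitimate implementation.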